Security
Security is foundational to forward-deployed work — we operate inside our clients' stacks. This page summarizes our practices and how to report a vulnerability responsibly.
01 Our principles
We design engagements so that code lives in your repositories and data stays on your infrastructure wherever possible. We follow least-privilege access and keep a clear audit trail.
02 Practices
- Encryption in transit (TLS) and at rest for data we hold.
- Least-privilege, time-bound access to client systems.
- Secrets management and no credentials in source control.
- Code review and eval gates before anything reaches production.
- Background-checked engineers and signed confidentiality agreements.
03 Regulated work
For healthcare and fintech engagements we build HIPAA-aware and PCI-aware from day one, and we sign Business Associate Agreements (BAAs) and NDAs where required. See our Data Processing Agreement for processing terms.
04 Report a vulnerability
If you believe you’ve found a security issue, please report it responsibly to hello@gigabit.agency. Give us a reasonable window to investigate and remediate before any public disclosure. We do not pursue legal action against good-faith security research.
Our machine-readable contact is published at /.well-known/security.txt.

